TidBITS: Comments on Examining Apple’s Security Efforts in 2012http://tidbits.com/
2012 was a watershed year for Apple’s security efforts. While dealing with significant challenges, the company made strong advances, setting the stage for strong security for years to come.en-usCopyright 2012 TidBITS Publishing Inc.Mon, 07 Jan 2013 00:00:00 ESTMon, 07 Jan 2013 00:00:00 ESTeditors@tidbits.com (TidBITS Editors)editors@tidbits.com (TidBITS Editors)TidBITShttp://tidbits.com/images/tb_logo_152x55.pnghttp://tidbits.com/
55152TidBITS badgehttp://db.tidbits.com/article/13461?rss#comments_17240
Mon, 07 Jan 2013 20:35:40 ESThttp://tidbits.com/article/13461#comments_17240My solution David, have several accounts and sow confusion.I love all of my aapl products and have done so since 1987 but it doesn't hurt to point out the flaws albeit in a non spiteful "hate everything apple" way like some contributors to this forum.]]>http://db.tidbits.com/article/13461?rss#comments_17212
Sun, 30 Dec 2012 16:15:48 ESThttp://tidbits.com/article/13461#comments_17212http://db.tidbits.com/article/13461?rss#comments_17206
Fri, 28 Dec 2012 21:49:00 ESThttp://tidbits.com/article/13461#comments_17206For one, there was the story a few months ago about the fellow whose iCloud account had been hijacked and used to destroy a lot of his data. Ok, that has been tightened up on now, I understand, but....

Yesterday, I tried to buy an app on the Mac App Store, using a Mac I have been using to buy apps since I bought it in September. I had also been using it on the iTunes Store. It told me that since this was the "first time I had used this device with the App Store", I had to answer my security questions.

So problem 1: It had either forgotten that I had used this Mac before, or perhaps had not noticed it was new until yesterday. Not good.

Then problem 2: The security questions it asked me were not the questions I had set up. Oops.

It said that if I could not remember the answers, I should go to appleid.apple.com which I did.

Problem 3: I logged in with my AppleID and it wanted to know the answers to my security questions. Ummm, that was why I was there.....

So I rang Apple and a very helpful advisor tried to reset everything to how it had been. He couldn't look at all my details.

Problem 4: He said one part of the system was telling him that I had supplied him enough confidential info to allow him to look at my account, and another part was telling him I hadn't.

In the end, he managed to get the account set up with no security information at all, and I had to re-enter it all.

So here we come to...

Problem 5: The questions it offers are the most stupid things imaginable. Maybe teenagers may be able to remember the answers, but anyone over 40 is going to have a hard time remembering unambiguously the first dish they ever cooked (breakfast cereal, toast?), the name of their favourite teacher (I cannot remember any of my teachers' names), their favourite car (I have had a number), the street they grew up in (I lived in several) and so on.

The whole point of security questions is that they be things you can remember instinctively, so they don't have to be written down. As it is, I had to make up answers with no connection to the questions. This is probably not a bad approach to security in some senses, but since the answers are not instinctive, I have had to write down the questions and answers. And in fact because I may need them while travelling, I have had to put them in a file on the Internet.

The security questions I originally had were custom questions I entered along with the answers. They were things I would never forget. This option is not available once you have your Apple ID. But - the advisor told me - if you are creating a new AppleID, you *can* make up your own questions.

So the issues are: Apple's systems had a "glitch" that wiped my security information, their so-called "security improvements" actually made security worse, and their systems are inconsistent in what they ask.

The back end systems are all a part of "security", and that bit still seems to need a lot of work.]]>http://db.tidbits.com/article/13461?rss#comments_17185
Tue, 25 Dec 2012 19:23:25 ESThttp://tidbits.com/article/13461#comments_17185http://db.tidbits.com/article/13461?rss#comments_17184
Tue, 25 Dec 2012 13:54:38 ESThttp://tidbits.com/article/13461#comments_17184http://db.tidbits.com/article/13461?rss#comments_17183
Tue, 25 Dec 2012 12:15:57 ESThttp://tidbits.com/article/13461#comments_17183"The metadata of all files in the file system are encrypted with a random key, which is created when iOS is first installed or when the device is wiped by a user. The file system key is stored in Effaceable Storage. Since it’s stored on the device, this key is not used to maintain the confidentiality of data; instead, it’s designed to be quickly erased on demand (by the user, with the 'Erase all content and settings' option, or by a user or administrator issuing a remote wipe command from a Mobile Device Management server, Exchange ActiveSync, or iCloud). Erasing the key in this manner renders all files cryptographically inaccessible." From Apple in May: http://tinyurl.com/7kc6s58]]>http://db.tidbits.com/article/13461?rss#comments_17149
Sat, 22 Dec 2012 03:31:25 ESThttp://tidbits.com/article/13461#comments_17149First, Apple is creating a monoculture by prohibiting competing Web browsers on iOS. When Internet Explorer 6 suffered serious security vulnerabilities, users could move to Firefox. With Safari, there is no choice.

Second, iOS devices lack an important security feature: the ability to turn the power off - the battery is in a sealed case that cannot be opened without special tools. Removing power is the only 100% reliable and verifiable way for a user to erase data from DRAM.]]>http://db.tidbits.com/article/13461?rss#comments_17146
Fri, 21 Dec 2012 15:58:30 ESThttp://tidbits.com/article/13461#comments_17146Vulnerabilities are always a problem. For Apple, this is especially true of the open source components they use in the OS that may get patched before Apple patches.

My focus in this piece is that Apple, like Microsoft (who is better at it), are going after disrupting malware economics. This won't prevent smaller and targeted attacks, but *will* materially reduce the risk for the entire user base.]]>http://db.tidbits.com/article/13461?rss#comments_17144
Fri, 21 Dec 2012 14:40:12 ESThttp://tidbits.com/article/13461#comments_17144It's also possible to dump the memory using DMA techniques such as the newly released Elcomsoft Forensic Disk Decryptor. The DRAM memory will likely contain all of the key material.

All versions of all Apple iOS devices will broadcast personal data out of their data ports. All app data can be read. All versions of all apps can be seen. Even IF the files are encrypted with the DPAPI or otherwise, the names of the files can be seen. I don't think you understand how much data is actually available, but check it out for yourself using these tools and methods -- http://linuxsleuthing.blogspot.com/2011/05/open-source-iphone-exploits.html

It's also possible to gain access to the kernel and userland memoryspaces by installing a malicious app from the App Store, or through an exploitable app such as the browser -- http://securecoding.sudo.rm-f.org/archives/2012/09/27/iphone_safari_crash]]>http://db.tidbits.com/article/13461?rss#comments_17143
Fri, 21 Dec 2012 14:21:29 ESThttp://tidbits.com/article/13461#comments_17143http://db.tidbits.com/article/13461?rss#comments_17141
Fri, 21 Dec 2012 12:34:46 ESThttp://tidbits.com/article/13461#comments_17141Oh, and as for sales, I thought the whole point of selling stuff was to make money. I think most businesses (the ones that stay in business, anyway), would consider the dollar value of sales to be kind of important.]]>http://db.tidbits.com/article/13461?rss#comments_17138
Fri, 21 Dec 2012 09:31:40 ESThttp://tidbits.com/article/13461#comments_17138Those comments turned me off right away.]]>http://db.tidbits.com/article/13461?rss#comments_17136
Fri, 21 Dec 2012 05:24:36 ESThttp://tidbits.com/article/13461#comments_17136This is doubly worrying as Apple is clearly not eating its own dogfood with sandboxing, or at least not as much as they are asking third-party developers to do so.]]>http://db.tidbits.com/article/13461?rss#comments_17123
Thu, 20 Dec 2012 16:09:31 ESThttp://tidbits.com/article/13461#comments_17123We have had many of these discussions in person and we clearly disagree. I'll leave it at that, and we can talk about it more next time we see each other.]]>http://db.tidbits.com/article/13461?rss#comments_17118
Thu, 20 Dec 2012 15:38:18 ESThttp://tidbits.com/article/13461#comments_17118Worst of all: when the data is at rest (i.e. when it should be LEAST vulnerable), all Apple devices can be made to cough up most or all data that resides on their SSDs or NAND flash -- let alone DRAM.

All of these other protections you mention matter little in light of the entry points and associated attack surface that I have described above.

OS X and iOS are not SELinux. They are not GRSecurity. They are not Windows Server 2012. Apple has not come a long way.]]>http://db.tidbits.com/article/13461?rss#comments_17116
Thu, 20 Dec 2012 14:40:50 ESThttp://tidbits.com/article/13461#comments_17116